Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,231
CVE-linked
1,858
Programs
342
New This Week
12
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 657 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
XXE through injection of a payload in the XMP metadata of a JPEG file
Informatica XML External Entities (XXE) (CWE-611)
Critical
2020-04-21
Blind SSRF at https://chat.makerdao.com/account/profile
BlockDev Sp. Z o.o Server-Side Request Forgery (SSRF) (CWE-918)
Critical
2020-04-14
Information Leak (Github)
Equifax-vdp
Critical
2020-04-09
[utils-extend] Prototype pollution
Node.js third-party modules Modification of Assumed-Immutable Data (MAID) (CWE-471)CVE-2020-8147
Critical
2020-04-02
[Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation
Shopify
Critical
2020-04-01
Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO
Shopify
Critical
2020-04-01
China – Limited Partner PII Regarding Work Scheduling via Unauthenticated API Endpoint
Starbucks Information Disclosure (CWE-200)
Critical
2020-04-01
Malformed NAV file leads to buffer overflow and code execution in Left4Dead2.exe
Valve Classic Buffer Overflow (CWE-120)
Critical
2020-03-25
Able to Become Admin for Any LINE Official Account
LY Corporation Privilege Escalation (CAPEC-233)
Critical
2020-03-25
Flaw in Change Email https://youtu.be/MMvlcHIGs2A
Staging.every.org Violation of Secure Design Principles (CWE-657)
Critical
2020-03-24
SSRF in the Custom Integration Webhook discloses AWS metadata
Dynatrace Server-Side Request Forgery (SSRF) (CWE-918)
Critical
2020-03-23
Docker image with FPM is vulnerable to CVE-2019-11043
Nextcloud Code Injection (CWE-94)CVE-2019-11043
Critical
2020-03-14
Mass account takeovers using HTTP Request Smuggling on https://slackb.com/ to steal session cookies
Slack HTTP Request Smuggling (CWE-444)
Critical
2020-03-12
TURN server allows TCP and UDP proxying to internal network, localhost and meta-data services
Slack Server-Side Request Forgery (SSRF) (CWE-918)
Critical
2020-03-12
Korea - LFI via path traversal at https://msr.istarbucks.co.kr:6443/appif/
Starbucks Path Traversal (CWE-22)
Critical
2020-03-10
HTTP request smuggling using malformed Transfer-Encoding header
Node.js HTTP Request Smuggling (CWE-444)CVE-2019-15605
Critical
2020-03-07
(Authenticated) RCE by bypassing of the .htaccess blacklist
Nextcloud Code Injection (CWE-94)
Critical
2020-03-01
Prototype pollution in multipart parsing
Node.js third-party modules Uncontrolled Resource Consumption (CWE-400)CVE-2020-8136
Critical
2020-02-28
sdrc.starbucks.com - Information Disclosure via unsecured attachment directory
Starbucks Information Disclosure (CWE-200)
Critical
2020-02-26
[yarn] yarn.lock integrity & hash check logic is broken
Node.js third-party modules Business Logic Errors (CWE-840)CVE-2019-15608
Critical
2020-02-26
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud583
Shopify464
curl447
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239